
04/04/11

Accounts Payable Risk Matrices

Contributed August 29, 2001 by julia.bird@phoenix.gov

City Auditor Department


SAP – Accounts Payable
Control Matrix

The attached control matrix is the result of updating the post-implementation control matrix. The matrix outlines risks and controls. Controls will be validated and tested in the 2000-01 file for SAP Application Controls for Accounts Payable (File number 1010043).

The FI-AP module processes all regular invoices and invoices related to DPOs and CORs. Invoices related to POs are entered in the MM module, and controls are tested there.

This matrix will be helpful in identifying the risks and controls over Accounts Payable processing. The 2000-01 fiscal year audit work can be relied upon for a review of internal controls over SAP & Central Accounts Payable processing. However, it will still be necessary to evaluate individual departments' business processes and sample transactions when conducting audits of individual departmental expenditures.

The control matrix contains 4 categories:


1) Vendor Master
2) Invoice Processing
3) Invoice Verification
4) Disbursements


Columns: No | Risks | Possible Negative Results | Risk (High / Med / Low) | Controls | P / D | Audit Step | Teammate Ref | SOC

Vendor Master
No. 1
Risk: Users may have unauthorized access to update vendor master files.
Possible negative results: Financial loss due to payments made to incorrect vendor (fraud).
Risk (High / Med / Low): H
Controls:
  1. Appropriate transaction codes and other object authorizations should be assigned to authorized users. The following transactions need to be restricted:
     • Create, change and display master records
     • Block and unblock master records
     • Mark record for deletion
  2. Incompatible segregation of duty transactions such as the following are restricted:
     • Create/change vendor master data and accounts payable activities
     • Create/change vendor master data and process warrants/distribute warrants.
  3. Controller signs off on security forms and checks for these incompatibilities.
P / D: P, P, P
Audit steps:
  1a. Review user profile for reasonableness of access.
  1b. Review the Vendor Master File for changes that have been made and verify that all of the users who made the changes have the appropriate Vendor Master Change profile.
  2. Review user profile for conflicting access.
  3. Review user profiles added for A/P Vendor Master, for Controller approvals.

No. 2
Risk: Creation or deletion of vendor master files may not be authorized or detected.
Possible negative results: Financial loss due to payments made to unapproved vendor (fraud).
Risk (High / Med / Low): H
Controls:
  1. Creation or deletion of a vendor master file requires a vendor coding form authorization by the appropriate users.
  2. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval.
  3. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly. A sample of new/changed vendors is agreed to the vendor coding form.
P / D: P, P, D
Audit steps:
  1,2. Select a sample of vendor master records created. Trace information to vendor coding form, and verify proper authorization.
  3. Verify Accounts Admin reviews list of modified/created vendors.

No. 3
Risk: Inaccurate or incomplete vendor data may be entered.
Possible negative results: Unpaid vendors. Legal liability for non-compliance with government regulations.
Risk (High / Med / Low): H
Controls:
  1. Mandatory fields in the vendor master file are defined and required. These fields include payee name (other required information depends on the Account Group).
  2. 1099 information is requested prior to setting up vendor master record. For tax-reportable vendors, the vendor is blocked until the 1099 information is provided.
  3. Vendors with incomplete info will be manually blocked from payment by AP staff.
  4. Inappropriate override for mandatory fields are prevented by SAP.
  5. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval.
  6. The system displays an error / warning message whenever there is erroneous or omitted vendor data during data entry.
P / D: P, P, P, P
Audit steps:
  1. Observe a user creating a Vendor Master Record, and document mandatory fields are required for entry.
  2. Observe a user creating a Vendor Master Record, and verify the 1099 is present, or vendor is blocked for payment.
  3. Select a sample of unblocked vendor files and verify they have the required information.
  4. Evaluate override authorizations (if any).
  5. Select a sample of vendor master records created. Trace information to vendor coding form.
  6. Observe that an error/warning message appears when erroneous information is entered, or required information is omitted.

No. 4
Risk: Sensitive fields, such as Alternative Payees, may be inappropriately completed and not reviewed.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. Alternative payees cannot be set up in the vendor master record without proper authorization. Alternate payees are used for collectors, levies, IRS or AZ Department of Revenue levies only. The creation or modification of alternative payee is subject to the same requirements as setting up or changing a vendor master record.
  2. The vendor coding form will be attached with source documents and the A/P supervisor approves it. Then the Accounts Admin Section verifies AP Supervisor approval.
  3. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly. A sample of new/changed vendors is agreed to the vendor coding form.
P / D: P, P, D
Audit steps:
  1. List all master vendor records with an alternative payee.
  2. Select a sample from the list and review supporting documentation for accuracy and proper approval.
  3. Verify Accounts Admin reviews list of modified/created vendors.

No. 5
Risk: Duplicate vendor records may be created.
Possible negative results: Incomplete vendor reporting due to more than one vendor number. Confusion when selecting vendor when invoicing.
Risk (High / Med / Low): M
Controls:
  1. A/P clerk checks for same name, address, etc. when submitting or approving vendor master input form.
  2. A/P supervisor signs off on vendor master input forms.
  3. Standard naming conventions are used to reduce the possibility of duplicate vendor names.
P / D: P, P, P
Audit steps:
  1. Observe user creating a vendor master record, and verify the user checks for same name.
  2. Select a sample of newly created vendor master records, and verify proper approval.
  3. Observe creation of vendor names and verify naming conventions are used.
  4. Test vendor master file for duplicate records.

No. 6
Risk: Housing / Election vendors may not receive the same level of review/control as centralized A/P vendors.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. Housing vendors are subject to the same controls mentioned in Vendor Master points 1-5.
P / D: P
Audit steps:
  1. Perform same audit steps for Housing (and any other users with vendor master authorization

No. 7
Risk: Unauthorized changes to vendor master data may go undetected.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. The Accounts Admin Section reviews the SAP report (RFKABL00) listing modified vendors monthly. A sample of new/changed vendors is agreed to the vendor coding form.
P / D: D
Audit steps:
  1. Run the RFKABL00 report, and ask users to explain the items.

FI Invoice Processing
No. 1
Risk: Unauthorized users may gain access to post invoice transactions into SAP.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. Appropriate transaction codes and other object authorizations are assigned to authorized users. The following transactions are restricted:
     • post, change, delete parked and ‘normal’ documents
     • park and release parked documents
     • block and unblock documents.
  2. Invoice posting capabilities are segregated from the following:
     • vendor/bank master file creation/change
     • warrant distribution
     • a/p approval/review
  3. SAP security administrator will also monitor.
P / D: P
Audit steps:
  1. Review user profile for reasonableness of access.
  2. Rely on BASIS audit to identify conflicting access.
  3. Review user profiles added for A/P Invoice, for A/P supervisor and Controller approvals.

No. 2
Risk: Terminated or employees on extended leave of absence may have access to the system.
Possible negative results: Financial loss.
Risk (High / Med / Low): M
Controls:
  1. A/P supervisor completes a form to remove access when employees leave.
  2. Finance SAP Team sends out lists to departments twice a year identifying potential terminated employees.
P / D: P
Audit steps:
  1. Compare user profiles for Invoicing to active employee list.
  2. Verify SAP Team sends out lists.

No. 3
Risk: Users may be able to post high dollar transactions without proper authorization.
Possible negative results: Unauthorized large payments.
Risk (High / Med / Low): M
Controls:
  1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
  2. Finance Dept Admin Supervisor reviews all payments greater than $100,000.
P / D: P, D
Audit steps:
  1. Select a sample of invoices and verify supervisory and central a/p staff review.
  2. Select a sample of invoices greater than $100,000 and verify Finance Admin Supervisor review.

No. 4
Risk: Invalid invoices may be entered.
Possible negative results: Financial loss.
Controls:
  1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
  2. Original invoices are required as source document. Supervisors must approve paying on a fax or copy.
P / D: P, P
Audit steps:
  1. Select a sample of invoices and verify supervisory and central a/p staff review.
  2. Select a sample of invoices and trace information to supporting document.

No. 5
Risk: Inaccurate or invalid data could be input when record first entered into SAP.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. Intelligent and mandatory fields have been set up.
  2. SAP automatically requires supervisor approval of invoices.
  3. AP also traces information entered to the source document.
P / D: P, D, D
Audit steps:
  1. Observe the entry of invoices, and the SAP controls for mandatory and intelligent fields.
  2,3. Select a sample of invoice documents and verify supervisor and AP staff approval, and agree to source document.

No. 6
Risk: Invoices may not be properly approved.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
P / D: P
Audit steps:
  1. Select a sample of invoices, and review for proper approval.

No. 7
Risk: Invoice is posted into SAP more than once.
Possible negative results: Financial loss from duplicate invoices. Misstated financial statements.
Risk (High / Med / Low): M
Controls:
  1. System does not allow duplicate invoices upon invoice entry if the invoice number, vendor number and invoice date are the same.
  2. Finance staff reviews the duplicate invoice report (zdup) daily. The report identifies all invoices with the same invoice number and the same amount.
  3. Original invoices are required as source document. Supervisors must approve paying on a fax or copy.
  4. AP staff physically stamp “paid” on invoices after approval.
P / D: P, D, P
Audit steps:
  1. Enter an invoice twice, and verify that the system does not allow duplicate invoice numbers.
  2. Review copies of the duplicate invoice report to verify that Finance is reviewing the report and taking appropriate action.
  3,4. Select a sample of invoices and trace information to supporting document, and verify invoice is stamped “paid”.
  5. Use ACL to test for duplicate invoices in a variety of ways.

No. 8
Risk: Invoice may be changed after it is posted.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. Payee or amount can not be changed once supervisor has released PCD.
P / D: P
Audit steps:
  1. Observe Finance AP staff trying to change the payee or amount after the invoice is posted to verify SAP controls.

No. 9
Risk: The original transaction is inappropriately reversed out from the system.
Possible negative results: Misstated financial statements. Unpaid vendors resulting in lost discounts, or late fees.
Risk (High / Med / Low): H
Controls:
  1. SAP will automatically verify the following, before a reversal entry is accepted:
     • no cleared items
     • original transaction was within the original posting module
  2. Only Finance AP supervisors have access to do reversal documents (FB08, MR08), and a reason code is required. Standard procedure is to also enter information in the text field.
P / D: P
Audit steps:
  1. Determine if SAP or Finance checks for reversal entries.
  2. Verify that only Finance AP supervisors have access to reverse a document.

No. 10
Risk: Invoice may contain mathematical errors.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. The creator of the invoice or manual PCD is responsible for verifying the mathematical accuracy of the invoice. There are no subsequent controls.
P / D: P
Audit steps:
  1. Select a sample of invoice documents and verify mathematical accuracy of the invoice.

No. 11
Risk: Invoices may be incorrectly or inaccurately keyed in through the FI module and not through the MM module, which would bypass the ‘three way match’ (PO, invoice and goods receipt) control to detect any errors.
Possible negative results: Financial loss from duplicate invoices. Misstated financial statements.
Risk (High / Med / Low): H
Controls:
  1. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
  2. Finance AP check for PO reference on the invoice.
  3. Finance AP identifies invoices for commodities, and investigates any commodities not being paid against a DPO, COR, or PO.
  4. Finance AP reconciles all outstanding open items in g/l account 291000. This g/l account receives all GR (goods receipts) and INV (invoices) posted. Thus Finance AP can identify:
     • GR without INV
     • INV without GR
     • GR different from INV, and vice versa
P / D: P, P, P, D
Audit steps:
  1. Select a sample of invoices and verify supervisory and central a/p staff review.
  2&3. Observe Finance AP process and verify they check for PO reference on the invoice, and they check commodities not paid against a DPO, COR or PO.
  4. Review of g/l account 291000.

No. 12
Risk: Invoice is not applied towards the related RF.
Possible negative results: Misstated financial statements.
Risk (High / Med / Low): H
Controls:
  1. Creator of the invoice enters the RF# in a user-defined field.
  2. Workflow process: Supervisory approval of invoice, and Finance A/P review & approval.
  3. Finance A/P staff approving the invoice look for the RF# on the invoice, and verify the number is on the SAP invoice.
  4. After Finance AP staff approves the invoice, SAP verifies matching data (ie vendor number) and automatically updates the RF.
  5. Departments are responsible for their budgets, and may notice invoices not applied to RF’s.
P / D: P, P, P, P, D
Audit steps:
  1-3. Observe Finance AP process and verify the reviewer checks for RF#.
  4. We did not test for invoices with RF references, that were not applied to the PO. We relied on the other controls.
  5. No test necessary.

No. 13
Risk: Invoices may not be input in a timely manner.
Possible negative results: Late payments to vendors, resulting in lost discounts, or late fees.
Risk (High / Med / Low): M
Controls:
  1. Vendor inquiries are investigated.
P / D: D
Audit steps:
  1. Review cycle time information for timeliness of invoice input.
  2. Review report on number of invoices paid late.

No. 14
Risk: Invoices that are ‘parked’ may not be posted and cleared on a timely basis.
Possible negative results: Late payments to vendors, resulting in lost discounts, or late fees.
Risk (High / Med / Low): M
Controls:
  1. Finance A/P management monitors the number of items and age in workflow inboxes.
  2. Finance AP management investigates all parked items over 2 weeks old.
P / D: P, D
Audit steps:
  1&2. Review the most recent report of invoices parked, and document the staff’s comments.

No. 15
Risk: The General Ledger account balances may not be updated when a transaction is posted into a Vendor Account, e.g., the reconciliation process may not be correctly set-up.
Possible negative results: Misstatement of financial statements.
Risk (High / Med / Low): H
Controls:
  1. The FI accounts payable and FI general ledger are fully integrated within SAP. A posting to the vendor account will automatically post to the appropriate reconciliation account in the general ledger on a real time basis. GL account number 222000 is the only reconciliation account.
P / D: P
Audit steps:
  1. Select a sample of invoices and verify that the posting to the vendor account agrees to the general ledger posting.

No. 16
Risk: Transactions may be posted to the wrong account / project / business area.
Possible negative results: Misstatement of financial statements.
Risk (High / Med / Low): M
Controls:
  1. The workflow process is comprised of supervisory approval of invoice, and Finance A/P review & approval.
  2. SAP gives a warning message if posting information (ie Business Area / cost center) is not compatible.
  3. Reconciliation account 222000 is used to ensure integrity between GL and AP sub-ledger. Direct posting to reconciliation account is blocked.
P / D: D, P, D
Audit steps:
  1. Select a sample of invoices and verify supervisory and central a/p staff review.
  2. Observe SAP warning when Business Area and Cost Center are not compatible.
  3. Review items in the 222000 g/l account and document the staff’s comments.

No. 17
Risk: Invoices may not be stored for payment disputes, etc.
Possible negative results: Lack of documentation for auditors.
Risk (High / Med / Low): L
Controls:
  1. All supporting documentation (ie invoice) is stamped “paid” and filed.
P / D: P
Audit steps:
  1. Select a sample of invoices and verify that documents were stored properly.

No. 18
Risk: Posting keys for A/P transactions may not be restricted.
Risk (High / Med / Low): H
Controls:
  1. SAP automatically selects posting keys based on input information.
  2. SAP requires the matching of debits and credits before an invoice is posted.
P / D: P, P, P
Audit steps:
  1-2. Observe that posting key controls are in place.
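
An added example, not part of the original matrix or the City's ACL work: Invoice Processing risk 7 above names two duplicate keys (the SAP entry check on invoice number, vendor number and invoice date, and the zdup report on invoice number and amount), and its audit step 5 calls for testing duplicates "in a variety of ways". The Python below runs both keys plus one assumed extra key (vendor, normalized invoice number, amount) over constructed sample records; the field names, the sample data and the normalization rule are assumptions.

```python
"""Duplicate-invoice tests keyed the way Invoice Processing risk 7 describes."""
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample postings (illustrative only, not City data).
INVOICES = [
    {"doc": "D1", "vendor": "V100", "invoice_no": "INV-1001",
     "invoice_date": date(2001, 3, 1), "amount": Decimal("2500.00")},
    # Same vendor, number and amount as D1, re-keyed with a different date.
    {"doc": "D2", "vendor": "V100", "invoice_no": "INV-1001",
     "invoice_date": date(2001, 3, 8), "amount": Decimal("2500.00")},
    {"doc": "D3", "vendor": "V200", "invoice_no": "4477",
     "invoice_date": date(2001, 3, 2), "amount": Decimal("310.25")},
    # Same invoice as D3, keyed with leading zeros.
    {"doc": "D4", "vendor": "V200", "invoice_no": "0004477",
     "invoice_date": date(2001, 3, 2), "amount": Decimal("310.25")},
    # Unrelated vendor that happens to reuse D1's invoice number.
    {"doc": "D5", "vendor": "V300", "invoice_no": "INV-1001",
     "invoice_date": date(2001, 3, 5), "amount": Decimal("99.00")},
]


def normalize_invoice_no(raw):
    """Upper-case, drop punctuation and spaces, strip leading zeros."""
    return re.sub(r"[^A-Z0-9]", "", raw.upper()).lstrip("0")


def entry_check_key(inv):
    # Control 1: invoice number + vendor number + invoice date.
    return (inv["invoice_no"], inv["vendor"], inv["invoice_date"])


def zdup_key(inv):
    # Control 2 (zdup report): invoice number + amount.
    return (inv["invoice_no"], inv["amount"])


def normalized_key(inv):
    # Assumed extra test: vendor + normalized invoice number + amount.
    return (inv["vendor"], normalize_invoice_no(inv["invoice_no"]), inv["amount"])


TESTS = {
    "entry_check": entry_check_key,
    "zdup": zdup_key,
    "normalized": normalized_key,
}


def find_duplicates(invoices, key_fn):
    """Return sorted groups of document ids that share a key."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[key_fn(inv)].append(inv["doc"])
    return sorted(sorted(docs) for docs in groups.values() if len(docs) > 1)


def run_tests(invoices):
    """Run every keyed test and return {test name: duplicate groups}."""
    return {name: find_duplicates(invoices, fn) for name, fn in TESTS.items()}


def only_found_by(results, name):
    """Groups that the named test reports and no other test does."""
    others = [g for n, groups in results.items() if n != name for g in groups]
    return [g for g in results[name] if g not in others]


if __name__ == "__main__":
    results = run_tests(INVOICES)
    for name, groups in results.items():
        print(f"{name:12s} {groups}")
    print("only normalized:", only_found_by(results, "normalized"))
```

On the sample data the entry-check key finds nothing, the zdup key flags the re-dated pair, and only the normalized key flags the pair that differs by leading zeros.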

Invoice Verification
No. 1
Risk: Incorrect or invalid invoice data may be entered when the record is first entered via the MM module.
Possible negative results: Financial loss.
Risk (High / Med / Low): M
Controls:
  1. The system requires entry of the following information upon entry of the invoice:
     • purchase order number
     • document date
     • invoice number
     • total invoice amount
  2. The system automatically displays all lines of the related purchase order and the value of the related goods receipt (GR) entered. Therefore AP staff can select the line items relevant to the specific invoice.
P / D: P, P
Audit steps:
  1. Observe the entry of invoices, and the SAP controls for mandatory and intelligent fields.
  2. Observe data entry and verify SAP displays PO limitations.
Teammate ref: 1 – IV3; 2 – IV3
SOC: 1, 2 = S

No. 2
Risk: The tolerance limits for invoice verification procedures may be set too high. The tolerance limit is used to match the FI invoice with the MM PO goods receipt.
Possible negative results: Unauthorized large payments.
Risk (High / Med / Low): L
Controls:
  1. The tolerance limits used to check on the three way match process are set according to the City’s policies and standards. The standard is 10%, or $100 per line item.
  2. If the tolerance is exceeded, the system will not display the PO line items. Then the AP clerk will not process the invoice, and will notify Purchasing of the discrepancy.
P / D: P
Audit steps:
  1. Run the tolerance limit report for AP and MM, by transaction key, and compare the limits to the City standards.
  2. Observe the entry of invoices and verify SAP warning message and AP clerk action.
Teammate ref: 1 – IV4; 2 – IV3
SOC: 1 = S

No. 3
Risk: Payment blocks may not be placed on invoices during the invoice approval process.
Possible negative results: Financial loss due to invoices being paid before final approval.
Controls:
  1. Payment blocks include:
     • Invoice amount exceeds PO amount by tolerance limits
     • The quantity on the invoice exceeds the quantity on the goods receipt (GR).
  2. The system blocks the payments automatically if one of the above situations exists.
Audit steps:
  1,2. Observe the entry of invoices and verify SAP warning message and AP clerk action.
Teammate ref: IV3
SOC: 1 = O; 2 = O

No. 4
Risk: Purchase made through PO is paid by PCD.
Possible negative results: Misstated financial statements.
Risk (High / Med / Low): M
Controls:
  1. Finance AP check for PO reference on the invoice.
  2. Finance AP identifies invoices for commodities, and investigates any commodities not being paid against a DPO, COR, or PO.
  3. Finance AP reconciles all outstanding open items in g/l account 291000. This g/l account receives all GR (goods receipts) and INV (invoices) posted. Thus Finance AP can identify:
     • GR without INV
     • INV without GR
     • GR different from INV, and vice versa
Audit steps:
  1,2. Observe Finance AP process and verify they check for PO reference on the invoice, and they check commodities not paid against a DPO, COR or PO.
  2. Review of g/l account 291000.
Teammate ref: 1,2 – IV3; 3 – IV4

No. 5
Risk: Large outstanding payable balances may build up and not be reviewed on a regular basis in the GR/IR general ledger account. An example is the account where tolerance differences are posted.
Possible negative results: Late payments to vendors, resulting in lost discounts, or late fees.
Risk (High / Med / Low): H
Controls:
  1. If there is a quantity variance where the quantity invoiced is different than the quantity of goods received, and if there is no further goods receipt recorded by the system, the GR/IR account will not be cleared automatically.
  2. A batch job is run to match GR and IR entries within the account on a daily basis.
  3. Finance AP staff reviews the GR/IR clearing account monthly for long outstanding, open items, and makes the appropriate corrections.
Audit steps:
  1. Review of g/l account 291000.
Teammate ref: IV4
SOC: NA

Disbursements
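No. 1
Risk: Unauthorized users may be able to post invoice transactions into SAP.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. See controls for Invoice Processing.
P / D: P
Audit steps:
  1. Rely on Invoice Processing tests.
Teammate ref: IP all
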
No. 2
Risk: Unauthorized access to the Payment Output file. (Note: Payment Output File is the result of a formatted payment batch. It contains all of the formatted payment information, in report format, to cut checks. Access to the directory should be restricted or extremely limited.)
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. SAP Security Profiles: Only 3 A/P supervisors have access.
P / D: P
Audit steps:
  1. List all users with this profile and review for reasonableness and proper authorization.
Teammate ref: D3
SOC: 1 = S

No. 3
Risk: Cash disbursement details may be inaccurate and incomplete.
Possible negative results: Financial loss. Misstated financial statements.
Risk (High / Med / Low): H
Controls:
  1. Disbursement data is based on information provided during invoice entry (either via FI or MM module).
  2. Prior to the payment run, SAP creates an exception report for invoices where mandatory fields are not populated, and for invoices blocked for payment.
  3. The A/P supervisor reviews the Payment Proposal List (RFZALI00) and the Exception List (RFZALI10).
P / D: P, D
Audit steps:
  1. Rely on Invoice Processing controls.
  2,3. Observe the documentation existing to verify supervisory review of payment proposal list and exception list.
Teammate ref: 1 – all IP; 2,3 – D4
SOC: 1 = S; 2 = O

No. 4
Risk: Inaccurate or incomplete vendor invoices may be paid.
Risk (High / Med / Low): H
Controls:
  1. Vendors with incomplete info will be manually blocked from payment by AP staff.
P / D: P
Audit steps:
  1. Select a sample of unblocked vendor files and verify they have the required information.
Teammate ref: VM3
SOC: 1 = S

No. 5
Risk: Check number may not be indicated in the payment document during payment processing.
Risk (High / Med / Low): H
Controls:
  1. The system captures the check number in the document allocation fields, and automatically prints the number on the check.
  2. Check number is pre-printed on manual checks.
P / D: P
Audit steps:
  1. Select a sample of invoices and trace the check number back to the record.
  2. Trace manual check numbers back to invoices to make sure the manual check number was entered.
Teammate ref: 1 – D1; 2 – D2
SOC: 1 = S

No. 6
Risk: Large or unusual payments may not be blocked for management review.
Possible negative results: Unauthorized large payments.
Risk (High / Med / Low): L
Controls:
  1. The Accounts Admin staff approves all payments over $100,000, and all payments to 1-time vendors.
  2. Procedures exist to review and approve invoices that are blocked.
P / D: P, D
Audit steps:
  1. Select a sample of payments > $100,000 and verify Accounts Admin signature.
  2. Observe check run and verify checks => $100,000 are approved by Accounts Admin.
Teammate ref: 1 – D10; 2 – D4
SOC: 1, 2 = S

No. 7
Risk: Invoices selected for payment may not be reviewed.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. The system is configured to propose invoices that are due for payment in the automatic payment run. A/P reviewer approval is required before payment.
P / D: P, D
Audit steps:
  1. Run a report of all invoices due for a specific date, and compare that to the automatic payment run.
  2. Document management’s review of the Payment Proposal List and Exception List.
Teammate ref: 1 – D1; 2 – D4
SOC: 1, 2 = S

No. 8
Risk: Payments could be made more than once for an invoice.
Possible negative results: Financial loss from duplicate payments.
Risk (High / Med / Low): H
Controls:
  1. SAP automatically assigns a clearing document number and clearing date when payment is made for open invoice item.
  2. SAP will not select cleared items for payment.
  3. Print file disappears after it is printed, so checks can’t be printed again.
P / D: P
Audit steps:
  1. Select a sample of paid invoices and verify they were assigned a clearing document number and clearing date.
  2. Test the disbursement run to make sure no cleared items were paid.
  3. Document that the print file disappears after it is printed.
Teammate ref: 1 – D1; 2 – D1; 3 – D1
SOC: 1, 2, 3 = S

No. 9
Risk: Payments made are posted to the wrong accounts.
Possible negative results: Misstated financial statements.
Risk (High / Med / Low): M
Controls:
  1. The FI accounts payable and FI general ledger are fully integrated within SAP. A posting to the vendor account will automatically post to the appropriate reconciliation account in the general ledger on a real time basis. GL account number 222000 is the only reconciliation account.
P / D: P, P
Audit steps:
  1. Select a sample of invoices and verify the g/l account entry.
  2. Review activity in g/l account #220000 to verify all invoices were posted to FI-GL.
Teammate ref: 1 – D1; 2 – D1
SOC: 1 = S; 2 = O

No. 10
Risk: The check number in the check register may not be updated.
Possible negative results: Financial loss due to the difficulty reconciling bank accounts, and noting missing checks.
Risk (High / Med / Low): H
Controls:
  1. SAP automatically assigns a sequential check number to each check, and records it in the register.
  2. The check register is used to keep track of physical check numbers.
  3. Procedures exist for reviewing the check number in the check register. The procedures cover:
     • Reviewing missing checks or checks number not running in sequence;
     • Reconcile check register after each check run;
     • Are spoiled manual checks retained;
     • Checks printed as overflow documents are denoted as “void”
     • Payment is made by the first check in the series only, and others are denoted as “void”.
  4. SAP reports all voided checks during the check run, and the AP Supervisor reviews the report.
  5. The AP Supervisor reconciles the number of checks from the check register report to the count on the Job Log.
P / D: P, P
Audit steps:
  1. Identify process for assigning both electronic and manual check numbers.
  2. Review the check register for missing check numbers.
  3. Observe procedures for:
     • reviewing missing checks or check numbers
     • reconciling check register after each run
     • spoiled checks
     • voided checks
  4. Verify SAP reports all voided checks during the run.
  5. Document the reconciliation of Check register and SAP Job Log.
Teammate ref: 1 – D2 & D4; 2 – D1; 3 – D1; 4 – D1
SOC: 1 = S; 2 = S; 3 = O; 4 = S; 5 = S

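No. 11
Risk: The discount amount may be calculated incorrectly.
Possible negative results: Financial loss.
Risk (High / Med / Low): M
Controls:
  1. The system automatically calculates discounts.
P / D: P
Audit steps:
  1. Select a sample of invoices and verify that the appropriate discount was taken.
Teammate ref: 1 – D5
SOC: 1 = S
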
No. 12
Risk: The transaction in the system may be left as an open item even though payment has been made.
Possible negative results: Financial loss from duplicate payments.
Risk (High / Med / Low): L
Controls:
  1. The system assigns a clearing number and a clearing document to close an outstanding transaction when payment is made.
P / D: P
Audit steps:
  1. Select a sample of paid invoices and verify they were assigned a clearing document number and clearing date.
Teammate ref: 1 – D1
SOC: 1 = S

No. 13
Risk: In the Check Print Restart and Reset Payment Batch functions: spoiled checks may not be retained for evidence as to restart. Completeness of checks may not be verified prior to restart.
Possible negative results: Financial loss due to discarding spoiled checks.
Risk (High / Med / Low): H
Controls:
  1. Have not had to do a check print restart yet. Could not validate.
P / D: P
Audit steps:
  1. Document any “check print restart” events, and verify spoiled checks were retained and checks were completed.
Teammate ref: 1 – D1
SOC: 1 = O

No. 14
Risk: Checks issued to employees may be inappropriate.
Possible negative results: Financial loss.
Risk (High / Med / Low): M
Controls:
  1. Employees are grouped in a separate account group.
  2. Supervisory approval required through workflow.
  3. A/P audit review.
  4. Manual approval required on PCDs entered by A/P clerks.
P / D: P, P, D, D
Audit steps:
  1. Select a sample of checks paid to employees, and verify proper approval and proper account group.
  2-4. Rely on Invoice Processing testing.
Teammate ref: 1 – D8; 2-4 – all IP
SOC: 1-4 = S

No. 15
Risk: Manual checks issued may not be recorded in the system.
Possible negative results: Financial loss due to the difficulty reconciling bank accounts, and noting missing checks.
Risk (High / Med / Low): H
Controls:
  1. Manual checks are recorded in the SAP check register.
  2. The City Controller reviews the SAP check list prior to the release of manual checks.
  3. An Accounts Admin staff member reviews the log of manual checks to ensure that no checks are missing and all numbers are entered.
  4. Blank check stock is secured.
P / D: P
Audit steps:
  1. Take an inventory of the manual checks, and verify all missing check numbers are in SAP and on the manual log.
  2. Document City Controller requires SAP Check List prior to signing manual checks.
  3. Verify independent review of manual check log.
  4. Verify blank checks are secure.
Teammate ref: 1-4 – D2
SOC: 1 = S; 2 = O; 3 = O; 4 = S

No. 16
Risk: Printed checks may be lost or stolen.
Possible negative results: Financial loss.
Risk (High / Med / Low): M
Controls:
  1. The check printer is stored in a public area, but is supervised during the printing.
  2. Checks are mailed out the same day they are printed.
  3. Printed checks kept for pick up are kept in a secretary’s desk, and locked in the safe for the night.
P / D: P
Audit steps:
  1. Observe the check run, and review the security methods used to make sure checks are mailed out or kept in a secure location.
Teammate ref: D1
SOC: 1 = O

No. 17
Risk: Cancellation and re-issue of checks may be improperly processed.
Possible negative results: Financial loss. Misstatement of financial statements.
Risk (High / Med / Low): H
Controls:
  1. Controls are in place to ensure that warrants already issued have not been cashed before the re-issue of another warrant by checking with the bank and SAP.
  2. Appropriate and authorized documentation is received from the vendor for review before the re-issue of another warrant.
  3. A/P supervisor checks documentation and approves transaction.
P / D: D, D
Audit steps:
  1. Select a sample of re-issued checks and verify that the original warrant was never cashed.
  2. Agree check information to supporting documentation.
  3. Verify supervisor approval on all re-issued checks.
Teammate ref: 1-3 – D11
SOC: 1, 2, 3 = S

No. 18
Risk: The bank amount in the books may not agree with the amount at hand in bank.
Possible negative results: Financial loss. Misstated financial statements.
Risk (High / Med / Low): H
Controls:
  1. An independent person reviews the bank reconciliation.
  2. The bank account is reconciled automatically daily, with exceptions cleared manually.
P / D: D
Audit steps:
  1. Document segregation of duties between disbursements and bank reconciliation.
  2. Select a sample of reconciliations and review unreconciled items.
Teammate ref: 1-2 – D9
SOC: 1 = O; 2 = S

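No. 19
Risk: Signature stamp is used by an unauthorized person.
Possible negative results: Financial loss.
Risk (High / Med / Low): H
Controls:
  1. The signature stamp is kept in a safe in Accounts Admin.
Audit steps:
  1. Verify the signature stamp is secure.
Teammate ref: D2
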
No. 20
Risk: Payment to vendor may be made when there is a large outstanding receivable from that company.
Possible negative results: Financial loss.
Risk (High / Med / Low): M
Controls:
  1. AP provides Collections with a list of all checks => $100,000 daily for their review.
Audit steps:
  1. Verify that Treasury reviews all checks => $100,000.
Teammate ref: D10

No. 21
Risk: Credit memos due to Accounts Receivable customers may not be processed properly.
Controls:
  1. Finance staff performs a separate payment run for credit memos.
Audit steps:
  1. Observe credit memo run and document issues.
Teammate ref: D7
